I would expect that you would find more buffer overflows in badly written format parsers rather than actual XSS vectors. As embedded objects cant directly access the DOM, you would have to rely on JS/HTML/Web/XMLRPC support in the player.

If you are making this your thesis I would expect that you had something more specific in mind, so please feel free to share more information for better pointers.